NSA surveillance violated privacy rules thousands of times

Remember that domestic spying program that President Obama swore we don’t have? Well, it turns out the NSA violated privacy rules or overstepped its legal authority 2,776 times since the program Obama claims does not exist got kicked into high gear in 2008. There was an audit, which the Most Transparent Administration In History wouldn’t even share with Congress, until whistleblower/traitor/defector Edward Snowden got his hands on the audit and handed it over to the Washington Post. The Post says it received these documents “earlier this summer,” but for some reason decided to sit on them until now.

Apparently Senate Intelligence Committee chair Dianne Feinstein (D-CA) was unfamiliar with this information until the Post asked her staff about it. The Senator then issued a queasy statement that her committee “can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate.” How, if you’re not privy to the audits? You won’t be getting any more of them from Edward Snowden, Senator Feinstein.

Speaking of Snowden, a Reuters report on Thursday said he “began downloading documents describing the U.S. government’s electronic spying programs while he was working for Dell Inc in April 2012, almost a year earlier than previously reported, according to U.S. officials and other sources familiar with the matter.” That’s a stunning indictment of internal security at the agencies so preoccupied with monitoring our activities. It doesn’t exactly instill confidence that our meticulously harvested personal information is being carefully guarded by the harvesters.

As to these NSA privacy violations, about ten percent of them are “typographical errors in which an analyst enters an incorrect query and retrieves data about U.S phone calls or e-mails.” Ah, so they wind up spying on innocent people by accident because they typed the request wrong. That makes me feel a lot better.

How about the other 90 percent of those 2,776 violations, Washington Post?

The more serious lapses include unauthorized access to intercepted communications, the distribution of protected content and the use of automated systems without built-in safeguards to prevent unlawful surveillance.

Uh-oh. That doesn’t sound good.

One major problem is largely unpreventable, the audit says, because current operations rely on technology that cannot quickly determine whether a foreign mobile phone has entered the United States.

Well, that’s an annoying technical violation and legally troubling, but it least it began with surveillance of foreign mobile phones. Maybe this isn’t so awful after all…

The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders.

[...] In what appears to be one of the most serious violations, the NSA diverted large volumes of international data passing through fiber-optic cables in the United States into a repository where the material could be stored temporarily for processing and selection.

The operation to obtain what the agency called “multiple communications transactions” collected and commingled U.S. and foreign e-mails, according to an article in SSO News, a top-secret internal newsletter of the NSA’s Special Source Operations unit. NSA lawyers told the court that the agency could not practicably filter out the communications of Americans.

[...] In one instance, the NSA decided that it need not report the unintended surveillance of Americans. A notable example in 2008 was the interception of a “large number” of calls placed from Washington when a programming error confused the U.S. area code 202 for 20, the international dialing code for Egypt, according to a “quality assurance” review that was not distributed to the NSA’s oversight staff.

In another case, the Foreign Intelligence Surveillance Court, which has authority over some NSA operations, did not learn about a new collection method until it had been in operation for many months. The court ruled it unconstitutional.

Oh, crap. I take it back. That is awful. Especially since the people guarding all this data don’t seem to have the best internal security. And the total number of violations is probably much higher, because this particular audit “counts only incidents at the NSA’s Fort Meade headquarters and other facilities in the Washington area.” Also, the NSA doesn’t spend a lot of time beating itself up when it accidentally scoops up data on innocent Americans:

The NSA uses the term “incidental” when it sweeps up the records of an American while targeting a foreigner or a U.S. person who is believed to be involved in terrorism. Official guidelines for NSA personnel say that kind of incident, pervasive under current practices, “does not constitute a . . . violation” and “does not have to be reported” to the NSA inspector general for inclusion in quarterly reports to Congress. Once added to its databases, absent other restrictions, the communications of Americans may be searched freely.

In one required tutorial, NSA collectors and analysts are taught to fill out oversight forms without giving “extraneous information” to “our FAA overseers.” FAA is a reference to the FISA Amendments Act of 2008, which granted broad new authorities to the NSA in exchange for regular audits from the Justice Department and the Office of the Director of National Intelligence and periodic reports to Congress and the surveillance court.

To paraphrase the famous Las Vegas slogan, “what happens at Ft. Meade stays at Ft. Meade.” Some people are uncomfortable with oversight coming from those secretive FISA courts, but now it looks like even the star-chamber guys don’t have the full story. A top NSA official interviewed by the Washington Post admitted this looks bad, but sought to calm the fears of nervous privacy advocates by… well, I’m not sure what he’s trying to say here:

“I realize you can read those words a certain way,” said the high-ranking NSA official who spoke with White House authority, but the instructions were not intended to withhold information from auditors. “Think of a book of individual recipes,” he said. Each target “has a short, concise description,” but that is “not a substitute for the full recipe that follows, which our overseers also have access to.”

Which overseers? The FISA courts you’re teaching analysts to keep in the dark? Who decides which material is “extraneous?” Who oversees these overseers?

Judging by polling responses, the American people are fairly comfortable with widespread surveillance activities, which they believe are important to fighting the War on Terror. But they also want assurances of oversight, accountability, and careful protection of sensitive data. Our rights to privacy, and the presumption of innocence, are threatened by lapses in protocol when dealing with huge accumulations of data collected on the general population. It’s not comforting to know that so many violations have occurred, and the audit that uncovered them was itself kept secret. We are expected to take an awful lot on faith, and the Administration hasn’t exactly been forthcoming since the story broke.

“We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official said in an interview, speaking with White House permission on the condition of anonymity.

“You can look at it as a percentage of our total activity that occurs each day,” he said. “You look at a number in absolute terms that looks big, and when you look at it in relative terms, it looks a little different.”

That’s the problem in a nutshell. The Administration says a couple thousand violations are no big deal, because they’re collecting and analyzing such a huge amount of data. That’s their defense. But to critics, it’s an accusation. It’s precisely what they’re worried about. The sheer scale of these surveillance activities, and the inherent necessity of keeping so many details secret, are balanced against the public’s desire for both security and accountability. This wouldn’t be the first time a basically sound idea was taken to disturbing extremes.